* Double NAT port forward
@ 2010-01-14 20:33 Henno Täht
2010-01-15 11:44 ` Pascal Hambourg
0 siblings, 1 reply; 3+ messages in thread
From: Henno Täht @ 2010-01-14 20:33 UTC (permalink / raw)
To: netfilter
Hello!
Is it possible to make double nat port forward? Topology:
SOME INTERNET MACHINE
1.1.1.1 (real public IP)
V
OUTER_GW
eth0: 2.2.2.228/27 (real public IP)
eth1: 192.168.1.1/24
V
INNER_GW
eth0: 192.168.1.2/24
eth1: 2.2.2.225/27 (fake public IP)
V
HOST
eth0: 2.2.2.249/27 (fake public IP)
I'm trying to set up simulated "real" environment for testing my
webserver. I plan to remote desktop into that subnet through double
port forwards and see how the server behaves.
While OUTER_GW forwards port 222 to INNER_GW just fine, INNER_GW sees
the SYN packet the OUTER_GW has passed it but doesn't forward it to
HOST:
root@pm-inner-gw:~# tshark -Nm -i eth0 host ! 192.168.1.1
Running as user "root" and group "root". This could be dangerous.
Capturing on eth0
0.000000 1.1.1.1 -> 192.168.1.2 TCP 1271 > 222 [SYN] Seq=0 Win=65535 Len=0 MSS=1460
0.439790 192.168.1.2 -> 1.1.1.1 ICMP Destination unreachable (Host unreachable)
0.440287 192.168.1.2 -> 1.1.1.1 ICMP Destination unreachable (Host unreachable)
2.964403 1.1.1.1 -> 192.168.1.2 TCP 1271 > 222 [SYN] Seq=0 Win=65535 Len=0 MSS=1460
5.969749 192.168.1.2 -> 1.1.1.1 ICMP Destination unreachable (Host unreachable)
Is there some sort of "security feature" in the kernel that doesn't
allow packets to be forwarded from IANA's "private IP" to a "public
IP"?
TIA,
Henno Täht
* Re: Double NAT port forward
2010-01-14 20:33 Double NAT port forward Henno Täht
@ 2010-01-15 11:44 ` Pascal Hambourg
2010-01-15 12:06 ` Henno Täht
0 siblings, 1 reply; 3+ messages in thread
From: Pascal Hambourg @ 2010-01-15 11:44 UTC (permalink / raw)
To: netfilter
Hello,
Henno Täht wrote:
>
> Is it possible to make double nat port forward?
Sure it is.
> SOME INTERNET MACHINE
> 1.1.1.1 (real public IP)
>
> V
>
> OUTER_GW
> eth0: 2.2.2.228/27 (real public IP)
> eth1: 192.168.1.1/24
>
> V
>
> INNER_GW
> eth0: 192.168.1.2/24
> eth1: 2.2.2.225/27 (fake public IP)
>
> V
>
> HOST
> eth0: 2.2.2.249/27 (fake public IP)
Consider using addresses in the special range 192.0.2.0/24 reserved for
examples and documentation instead of random addresses that are not
allocated to you. See RFC 3330.
> While OUTER_GW forwards port 222 to INNER_GW just fine, INNER_GW sees
> the SYN packet the OUTER_GW has passed it but doesn't forward it to
> HOST:
>
> root@pm-inner-gw:~# tshark -Nm -i eth0 host ! 192.168.1.1
> Running as user "root" and group "root". This could be dangerous.
> Capturing on eth0
> 0.000000 1.1.1.1 -> 192.168.1.2 TCP 1271 > 222 [SYN] Seq=0
> Win=65535 Len=0 MSS=1460
> 0.439790 192.168.1.2 -> 1.1.1.1 ICMP Destination unreachable (Host
> unreachable)
ICMP host unreachable usually indicates an ARP failure for the next hop
address. What happens on INNER_GW's eth1 and HOST's eth0 (IP or ARP) ?
> Is there some sort of "security feature" in the kernel that doesn't
> allow packets to be forwarded from IANA's "private IP" to a "public
> IP"?
Not AFAIK.
* Re: Double NAT port forward
2010-01-15 11:44 ` Pascal Hambourg
@ 2010-01-15 12:06 ` Henno Täht
0 siblings, 0 replies; 3+ messages in thread
From: Henno Täht @ 2010-01-15 12:06 UTC (permalink / raw)
To: netfilter
On Fri, Jan 15, 2010 at 13:44, Pascal Hambourg
<pascal.mail@plouf.fr.eu.org> wrote:
> Consider using addresses in the special range 192.0.2.0/24 reserved for
> examples and documentation instead of random addresses that are not
> allocated to you. See RFC 3330.
Thanks for the information!
> > root@pm-inner-gw:~# tshark -Nm -i eth0 host ! 192.168.1.1
> > Running as user "root" and group "root". This could be dangerous.
> > Capturing on eth0
> > 0.000000 1.1.1.1 -> 192.168.1.2 TCP 1271 > 222 [SYN] Seq=0
> > Win=65535 Len=0 MSS=1460
> > 0.439790 192.168.1.2 -> 1.1.1.1 ICMP Destination unreachable (Host
> > unreachable)
>
> ICMP host unreachable usually indicates an ARP failure for the next hop
> address. What happens on INNER_GW's eth1 and HOST's eth0 (IP or ARP) ?
Nothing happened. Complete silence.
But I got it working by specifying a larger subnet (27->24). And I'm
sure that INNER_GW's internal interface and HOST's IPs weren't on
different subnets. :-)
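The thread turns on two points: a double port forward is just one DNAT rule per gateway, and a gateway that answers a forwarded SYN with ICMP host unreachable is one that cannot resolve the DNAT target on a directly connected interface (Pascal's ARP-failure diagnosis), which is exactly what a netmask that is too narrow produces. The script below is an added example, not code from the thread or from any of the posters: it models the topology above with a hypothetical Gateway record, checks each hop's DNAT target is on-link for the gateway that has to deliver it, and lists the minimal iptables/sysctl set each gateway would need. The 2.2.2.200 host used for the "broken" variant is a constructed address chosen to fall outside 2.2.2.224/27; the rule set is an assumed minimal one, not the poster's actual configuration.

```python
"""Sanity-check a chain of DNAT port forwards (added example, not from the thread).

Each gateway rewrites the destination to the next hop. That next hop must lie on
a subnet directly attached to the gateway; otherwise the gateway never ARPs for
it on the expected interface and the forward dies with the thread's symptom:
the SYN is seen, nothing appears on the inner interface, and ICMP host
unreachable goes back to the client.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Gateway:                    # hypothetical record type for this example
    name: str
    ingress: str                  # interface the forwarded SYN arrives on
    interfaces: Dict[str, str]    # ifname -> "addr/prefix"
    dnat_target: str              # destination written by this gateway's DNAT rule


def on_link_interface(gw: Gateway, target: str) -> Optional[str]:
    """Interface whose directly connected subnet contains target, or None.
    None means the gateway has no interface on which to ARP for the target."""
    addr = ipaddress.ip_address(target)
    for ifname, cidr in gw.interfaces.items():
        if addr in ipaddress.ip_interface(cidr).network:
            return ifname
    return None


def iptables_rules(gw: Gateway, port: int) -> List[str]:
    """Minimal rule set one gateway carries for one hop of the forward
    (assumed set: forwarding on, DNAT in PREROUTING, FORWARD accept for the
    rewritten flow; conntrack un-NATs the replies)."""
    return [
        "sysctl -w net.ipv4.ip_forward=1",
        f"iptables -t nat -A PREROUTING -i {gw.ingress} -p tcp --dport {port} "
        f"-j DNAT --to-destination {gw.dnat_target}:{port}",
        f"iptables -A FORWARD -p tcp -d {gw.dnat_target} --dport {port} "
        "-m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT",
    ]


def trace_forward(chain: List[Gateway]) -> List[Tuple[str, str, Optional[str]]]:
    """Walk the DNAT chain. Each entry is (gateway, target, egress iface or None).
    Also checks that each hop's target is an address the next gateway owns, so
    the next gateway's PREROUTING DNAT rule actually sees the packet."""
    trace = []
    for i, gw in enumerate(chain):
        trace.append((gw.name, gw.dnat_target, on_link_interface(gw, gw.dnat_target)))
        if i + 1 < len(chain):
            nxt = chain[i + 1]
            owned = {ipaddress.ip_interface(c).ip for c in nxt.interfaces.values()}
            if ipaddress.ip_address(gw.dnat_target) not in owned:
                raise ValueError(
                    f"{gw.name} forwards to {gw.dnat_target}, which {nxt.name} does not own")
    return trace


def chain_ok(chain: List[Gateway]) -> bool:
    """True when every gateway can deliver its DNAT target on-link."""
    return all(egress is not None for _, _, egress in trace_forward(chain))


# Topology from the thread (the 2.2.2.x "fake public" addresses are the poster's).
OUTER_GW = Gateway("OUTER_GW", "eth0",
                   {"eth0": "2.2.2.228/27", "eth1": "192.168.1.1/24"}, "192.168.1.2")
INNER_GW = Gateway("INNER_GW", "eth0",
                   {"eth0": "192.168.1.2/24", "eth1": "2.2.2.225/27"}, "2.2.2.249")
THREAD_CHAIN = [OUTER_GW, INNER_GW]

# Constructed variants: HOST at 2.2.2.200 lies outside 2.2.2.224/27 (224-255),
# so INNER_GW cannot ARP for it until eth1's mask is widened to /24.
BROKEN_INNER = Gateway("INNER_GW", "eth0",
                       {"eth0": "192.168.1.2/24", "eth1": "2.2.2.225/27"}, "2.2.2.200")
FIXED_INNER = Gateway("INNER_GW", "eth0",
                      {"eth0": "192.168.1.2/24", "eth1": "2.2.2.225/24"}, "2.2.2.200")


if __name__ == "__main__":
    for label, chain in (("thread", THREAD_CHAIN),
                         ("broken", [OUTER_GW, BROKEN_INNER]),
                         ("fixed", [OUTER_GW, FIXED_INNER])):
        print(label, "ok" if chain_ok(chain) else "FAIL", trace_forward(chain))
    for gw in THREAD_CHAIN:
        print(f"# {gw.name}")
        for rule in iptables_rules(gw, 222):
            print(rule)
```

Run it and the "broken" chain reports INNER_GW with no egress interface for 2.2.2.200, which is the configuration that shows up on the wire as the SYN-then-host-unreachable pattern in the capture; the same check passes once eth1 is /24. On a real gateway the equivalent live check is `ip route get <target>` followed by watching `tcpdump -ni eth1 arp` while the SYN arrives.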